Microsoft’s General Counsel: N.S.A. Hacks Were an ‘Earthquake’ for Tech

By NICOLE PERLROTH

December 5, 2013

Microsoft is the latest company to try to protect its data from its own government.

An article on Thursday indicates that Microsoft is in the process of expanding and strengthening the encryption for popular services including the email service Outlook.com, Office 365 apps, the Azure cloud-computing service and SkyDrive online storage. It is also adding an encryption technology, called Perfect Forward Secrecy, that thwarts eavesdropping.

The company is also scrambling the links between its data centers in an effort to assure users and foreign governments that their data is not free for the National Security Agency’s taking.

The company says encryption and Perfect Forward Secrecy will become the default setting for users by the end of 2014.

The announcement follows similar efforts by Google, Twitter, Mozilla, Facebook and Yahoo. But Microsoft said it will also go several steps further, by making a contractual promise to business and government customers that it will alert them if it receives legal orders related to their data — and fight every gag order in court.

Microsoft will also open up so-called transparency centers, where governments can inspect its products’ code for back doors.

Bradford L. Smith, Microsoft’s general counsel, said the company had long considered such efforts, but was jolted to action after recent reports that the N.S.A. may be gaining access to companies’ data without their knowledge.

“The idea that the government may be hacking into corporate data centers was a bit like an earthquake, sending shock waves across the tech sector,” Mr. Smith said in an interview. “We concluded that we better assume that there might be such an attempt at Microsoft, or has already been.”

The end goal, Mr. Smith said, is to force would-be snoops to go to court — not hack into its data centers — for customers’ data. “We all want to live in a world that is safe and secure, but we also want to live in a country that is governed by the Constitution.”

And therein lies the rub. Microsoft’s efforts — and for that matter Google’s, Twitter’s, Mozilla’s, Facebook’s and Yahoo’s — still do not prevent the government from gaining access to their data through a court order. And some security experts point out that even if companies like Microsoft allow outsiders to inspect their code, that only eliminates one mode of attack; snoops could still find holes in other parts of the system.

To make governments’ jobs more difficult, executives at Lavabit and Silent Circle, two secure message providers, have been lobbying major Internet companies to adopt a new Dark Mail e-mail protocol that would encrypt user data and metadata in such a way that it would leave the keys with the user, not the provider. Dark Mail would thereby force governments, or hackers, to go straight to the user to unscramble their data.

But Mike Janke, a co-founder at Silent Circle, said he was skeptical they would adopt the protocol because companies rely on access to user data to serve up targeted ads.

“The real friction point is that Yahoo, Google and Microsoft make money mining off free email,” Mr. Janke said in an interview. “They say they’re concerned about user privacy. Now we’ll see if they really care.”